CVE-2022-4946 – Frontend Post WordPress Plugin <= 2.8.4 - Contributor+ Arbitrary Redirect
https://notcve.org/view.php?id=CVE-2022-4946
11 May 2023 — The Frontend Post WordPress Plugin WordPress plugin through 2.8.4 does not validate an attribute of one of its shortcodes, which could allow users with a role as low as contributor to add a malicious shortcode to a page/post that will redirect users to an arbitrary domain. The AccessPress Anonymous Post plugin for WordPress is vulnerable to Arbitrary Redirect in versions up to, and including, 2.8.4. This is due to insufficient validation on one of the attributes for one of its shortcodes. This makes it pos...
• https://wpscan.com/vulnerability/6e222018-a3e0-4af0-846c-6f00b67dfbc0 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2023-28661 – WP Popup Banners <= 1.2.5 - Authenticated (Subscriber+) SQL Injection via 'value'
https://notcve.org/view.php?id=CVE-2023-28661
20 Mar 2023 — The WP Popup Banners WordPress Plugin, version <= 1.2.5, is affected by an authenticated SQL injection vulnerability in the 'value' parameter in the get_popup_data action. The WP Popup Banners plugin for WordPress is vulnerable to a time-based SQL Injection via the 'value' parameter of the get_popup_data AJAX action in versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authe...
• https://www.tenable.com/security/research/tra-2023-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-26532 – WordPress Social Auto Poster Plugin <= 2.1.4 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-26532
28 Feb 2023 — Cross-Site Request Forgery (CSRF) vulnerability in AccessPress Themes Social Auto Poster plugin <= 2.1.4 versions. Cross-Site Request Forgery (CSRF) vulnerability in the AccessPress Themes Social Auto Poster plugin in versions <= 2.1.4. The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the 'restore_settings' function. This makes it possible for unauthenticated att...
• https://patchstack.com/database/vulnerability/accesspress-facebook-auto-post/wordpress-social-auto-poster-plugin-2-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-26518 – WordPress WP TFeed Plugin <= 1.6.9 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-26518
28 Feb 2023 — Cross-Site Request Forgery (CSRF) vulnerability in AccessPress Themes WP TFeed plugin <= 1.6.9 versions. Cross-Site Request Forgery (CSRF) vulnerability in the WP TFeed plugin by AccessPress Themes in versions <= 1.6.9. The WP TFeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.9. This is due to missing or incorrect nonce validation on the aptf_delete_cache function. This makes it possible for unauthenticated attackers to delete the plugin...
• https://patchstack.com/database/vulnerability/accesspress-twitter-feed/wordpress-wp-tfeed-plugin-1-6-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-0175 – Smart Logo Showcase Lite <= 1.1.9 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0175
21 Feb 2023 — The Responsive Clients Logo Gallery Plugin for WordPress plugin through 1.1.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Smart Logo Showcase Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.1.9 due to insufficient input ...
• https://wpscan.com/vulnerability/cdcd3c2c-cb29-4b21-8d3d-7eafbc1d3098 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0628 – AP Mega Menu < 3.0.8 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0628
28 Feb 2022 — The Mega Menu WordPress plugin before 3.0.8 does not sanitize and escape the _wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. The Mega Menu WordPress plugin in versions before 3.0.8 does not sanitize and escape the _wpnonce parameter before outputting it back in the admin page, leading to a Reflected Cross-Site Scripting issue. The Mega Menu plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘_wpnonce’ param...
• https://plugins.trac.wordpress.org/changeset/2684307 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23912 – AP Custom Testimonial < 1.4.8 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-23912
25 Jan 2022 — The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not sanitise and escape the id parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting. The Testimonial WordPress Plugin WordPress plugin in versions before 1.4.7 does not sanitise and escape the id parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting attack. The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not sanitise and escape the id p...
• https://plugins.trac.wordpress.org/changeset/2664185 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23911 – AP Custom Testimonial < 1.4.8 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-23911
25 Jan 2022 — The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not validate and escape the id parameter before using it in a SQL statement when retrieving a testimonial to edit, leading to a SQL Injection. The Testimonial WordPress plugin in versions before 1.4.7 does not validate or escape the id parameter before using it in a SQL statement when a testimonial is retrieved for editing, leading to a SQL Injection.
• https://plugins.trac.wordpress.org/changeset/2664185 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-23976 – WordPress Access Demo Importer plugin <= 1.0.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Data Reset (Posts / Pages / Media)
https://notcve.org/view.php?id=CVE-2022-23976
24 Jan 2022 — Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to reset all data (posts / pages / media). A Cross-Site Request Forgery (CSRF) vulnerability in Access Demo Importer versions up to and including 1.0.7 on WordPress allows an attacker to reset all data (posts / pages / media). The Access Demo Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.7 due to missing nonce v...
• https://patchstack.com/database/vulnerability/access-demo-importer/wordpress-access-demo-importer-plugin-1-0-7-cross-site-request-forgery-csrf-vulnerability-leading-to-data-reset-posts-pages-media • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2021-25107 – Form Store to DB < 1.1.1 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25107
17 Jan 2022 — The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting them back in the created entry, allowing an unauthenticated attacker to perform Cross-Site Scripting attacks against an admin. The Form Store to DB WordPress plugin in versions before 1.1.1 does not sanitise or escape parameter keys before outputting them back in the created entry, allowing an unauthenticated attacker to carry out Cross-Site Scripting attacks against the administrator.
• https://plugins.trac.wordpress.org/changeset/2657583 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')